CVE-2025-2921

CVE-2025-2921

Título es
CVE-2025-2921

Vie, 28/03/2025 – 18:15

Tipo
CWE-1393

Gravedad v2.0
6.20

Gravedad 2.0 Txt
MEDIUM

Título en

CVE-2025-2921

Descripción en
A vulnerability classified as critical has been found in Netis WF-2404 1.1.124EN. Affected is an unknown function of the file /etc/passwd. The manipulation with the input Realtek leads to use of default password. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

28/03/2025
28/03/2025
Vector CVSS:4.0
CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vector CVSS:3.1
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector CVSS:2.0
AV:L/AC:H/Au:N/C:C/I:C/A:C

Gravedad 4.0
5.40

Gravedad 4.0 txt
MEDIUM

Gravedad 3.1 (CVSS 3.1 Base Score)
6.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont

  • https://vuldb.com/?ctiid_301896=

  • https://vuldb.com/?id_301896=

  • https://vuldb.com/?submit_521038=

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont

    • Enviar en el boletín
    Off

    CVE-2025-2922

    CVE-2025-2922

    Título es
    CVE-2025-2922

    Vie, 28/03/2025 – 19:15

    Tipo
    CWE-310

    Gravedad v2.0
    1.20

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2922

    Descripción en
    A vulnerability classified as problematic was found in Netis WF-2404 1.1.124EN. Affected by this vulnerability is an unknown functionality of the component BusyBox Shell. The manipulation leads to cleartext storage of sensitive information. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:L/AC:H/Au:N/C:P/I:N/A:N

    Gravedad 4.0
    1.00

    Gravedad 4.0 txt
    LOW

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-with

  • https://vuldb.com/?ctiid_301897=

  • https://vuldb.com/?id_301897=

  • https://vuldb.com/?submit_521039=

    • Enviar en el boletín
    Off

    CVE-2025-2923

    CVE-2025-2923

    Título es
    CVE-2025-2923

    Vie, 28/03/2025 – 19:15

    Tipo
    CWE-119

    Gravedad v2.0
    1.70

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2923

    Descripción en
    A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

    Vector CVSS:2.0
    AV:L/AC:L/Au:S/C:N/I:N/A:P

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    3.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias

  • https://github.com/HDFGroup/hdf5/issues/5381

  • https://vuldb.com/?ctiid_301898=

  • https://vuldb.com/?id_301898=

  • https://vuldb.com/?submit_521151=

    • Enviar en el boletín
    Off

    CVE-2025-2924

    CVE-2025-2924

    Título es
    CVE-2025-2924

    Vie, 28/03/2025 – 20:15

    Tipo
    CWE-119

    Gravedad v2.0
    1.70

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2924

    Descripción en
    A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

    Vector CVSS:2.0
    AV:L/AC:L/Au:S/C:N/I:N/A:P

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    3.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias

  • https://github.com/HDFGroup/hdf5/issues/5382

  • https://vuldb.com/?ctiid_301899=

  • https://vuldb.com/?id_301899=

  • https://vuldb.com/?submit_521170=

  • https://github.com/HDFGroup/hdf5/issues/5382

    • Enviar en el boletín
    Off

    CVE-2025-2920

    CVE-2025-2920

    Título es
    CVE-2025-2920

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-327

    Gravedad v2.0
    1.20

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2920

    Descripción en
    A vulnerability was found in Netis WF-2404 1.1.124EN. It has been rated as problematic. This issue affects some unknown processing of the file /еtc/passwd. The manipulation leads to use of weak hash. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:L/AC:H/Au:N/C:P/I:N/A:N

    Gravedad 4.0
    1.00

    Gravedad 4.0 txt
    LOW

    Gravedad 3.1 (CVSS 3.1 Base Score)
    2.00

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-cont

  • https://vuldb.com/?ctiid_301895=

  • https://vuldb.com/?id_301895=

  • https://vuldb.com/?submit_521037=

    • Enviar en el boletín
    Off

    CVE-2025-2919

    CVE-2025-2919

    Título es
    CVE-2025-2919

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-489

    Gravedad v2.0
    7.20

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2025-2919

    Descripción en
    A vulnerability was found in Netis WF-2404 1.1.124EN. It has been declared as critical. This vulnerability affects unknown code of the component UART. The manipulation leads to hardware allows activation of test or debug logic at runtime. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Vector CVSS:2.0
    AV:L/AC:L/Au:N/C:C/I:C/A:C

    Gravedad 4.0
    7.00

    Gravedad 4.0 txt
    HIGH

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-with

  • https://vuldb.com/?ctiid_301894=

  • https://vuldb.com/?id_301894=

  • https://vuldb.com/?submit_521036=

  • https://scoozi.substack.com/p/hacking-a-netis-wf-2404-router-with

    • Enviar en el boletín
    Off

    CVE-2025-2917

    CVE-2025-2917

    Título es
    CVE-2025-2917

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-22

    Gravedad v2.0
    4.00

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2917

    Descripción en
    A vulnerability, which was classified as problematic, was found in ChestnutCMS up to 1.5.3. Affected is the function readFile of the file /dev-api/cms/file/read. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

    28/03/2025
    28/03/2025
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:P/I:N/A:N

    Gravedad 4.0
    5.30

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://r0ot.notion.site/ChestnutCMS-1-5-3-Arbitrary-file-read-vulnerability-1ae27d744f7f8074a169ca849e8a1d31?pvs=4

  • https://vuldb.com/?ctiid_301890=

  • https://vuldb.com/?id_301890=

  • https://vuldb.com/?submit_520933=

  • https://r0ot.notion.site/ChestnutCMS-1-5-3-Arbitrary-file-read-vulnerability-1ae27d744f7f8074a169ca849e8a1d31

    • Enviar en el boletín
    Off

    CVE-2025-31164

    CVE-2025-31164

    Título es
    CVE-2025-31164

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-122

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31164

    Descripción en
    heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via  create_line_with_spline.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://sourceforge.net/p/mcj/tickets/184/

    • Enviar en el boletín
    Off

    CVE-2025-31163

    CVE-2025-31163

    Título es
    CVE-2025-31163

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-476

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31163

    Descripción en
    Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via put_patternarc function.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://sourceforge.net/p/mcj/tickets/186/

    • Enviar en el boletín
    Off

    CVE-2025-31162

    CVE-2025-31162

    Título es
    CVE-2025-31162

    Vie, 28/03/2025 – 18:15

    Tipo
    CWE-369

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-31162

    Descripción en
    Floating point exception in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via get_slope function.

    28/03/2025
    28/03/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.60

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://sourceforge.net/p/mcj/tickets/185/

    • Enviar en el boletín
    Off